HIPAA does not prohibit AI use in healthcare administration. It requires that Protected Health Information be handled appropriately when it is involved: with Business Associate Agreements in place, with minimum necessary standards applied, and with access controls and documentation appropriate to the risk level.
Most of the operational AI workflows that produce the highest returns for a $15M healthcare provider do not involve PHI at all. The ones that do can be managed within the HIPAA framework.
The risk that most healthcare operators are managing around is the undocumented AI use already happening on the team: the billing team member who is already using ChatGPT without a BAA, without a de-identification standard, and without a work product review. The implementation that addresses this risk is the same implementation that produces the operational returns.
This article gives a specific, practical AI implementation guide for a $15M healthcare provider: the compliance framework first, then the workflows, then the adoption sequence.
The goal is an AI system that produces measurable operational returns and produces documentation that is defensible if it is ever reviewed.
Before reading this article, it helps to understand the broader AI strategy for healthcare companies — this implementation guide assumes you have already identified the operational workflows where AI delivers value and are now ready to build the compliance infrastructure to support them.
The compliance risk landscape
Risk 1: HIPAA violations from undocumented PHI entry
The scenario: a billing team member types a patient’s name, date of birth, and diagnosis into ChatGPT to draft an appeal letter, without a BAA with OpenAI, without a de-identification standard, and without any organisational documentation of the AI use.
If this is discovered during an audit or breach investigation, the organisation has three problems:
- A potential HIPAA violation for sharing PHI with a third party without a BAA
- No documentation that the interaction occurred in a controlled process
- No evidence that a governance framework was in place
The mitigation: the formal AI implementation with a signed BAA, a documented de-identification standard, and a staff training record closes all three gaps.
Risk 2: State privacy laws more restrictive than HIPAA
Several states have enacted healthcare privacy regulations that are more restrictive than federal HIPAA in specific areas.
| State | Relevant law | Key addition |
|---|---|---|
| California | CMIA, CPRA | Broader consumer rights over electronic health information |
| New York | SHIELD Act, Health Data Privacy Act | Additional requirements for healthcare-adjacent data |
| Washington | My Health My Data Act 2024 | Broad coverage including data HIPAA does not cover |
The mitigation: the AI use policy should note applicable state law requirements. For most operational AI workflows (administrative correspondence, management reporting, staff communications), state law requirements mirror the federal framework. For workflows involving data covered by more expansive state health privacy laws, legal review is warranted.
Risk 3: OIG and CMS audit exposure for AI-assisted clinical documentation
If the organisation uses AI to assist with clinical documentation (care plan notes, treatment summaries, clinical necessity statements), the AI-assisted documentation must be reviewed and attested to by a qualified clinician.
This article focuses on operational AI, not clinical AI. Any AI use on clinical documentation requires clinical review attestation in the medical record.
Risk 4: Accreditation and licensing audit findings
For organisations under Joint Commission, CARF, or state licensing accreditation, AI use may be reviewed as part of a quality management or information management audit.
Without a documented AI governance framework, an auditor who finds AI in use in operations may record a finding.
The mitigation: the one-page AI policy document described in the governance framework below satisfies the auditor’s governance requirement.
The five-component compliance framework
Component 1: HIPAA risk assessment update
What it is: an update to the organisation’s existing HIPAA Risk Assessment to include AI tool use as a component of the technical safeguards analysis.
What the update covers:
- The AI tools being used (names, versions, data handling terms)
- The types of PHI that may be processed through AI tools
- The safeguards in place (BAA, de-identification standard, access controls, audit log)
- The residual risk level
Time to complete: 2 to 3 hours with the compliance officer.
Documentation: the updated risk assessment narrative, dated and signed by the responsible party.
Component 2: Business Associate Agreement
The current status of BAAs from major providers (as of 2026):
| Provider | BAA availability | Key terms |
|---|---|---|
| Anthropic (Claude Teams Enterprise) | Available. Enterprise tier required. | Zero Data Retention option available. |
| OpenAI (ChatGPT Teams) | Available. Teams tier with healthcare configuration. | Healthcare-specific data handling commitments in BAA addendum. |
| Google Workspace AI | Covered under existing Google Workspace BAA for healthcare customers. | No additional BAA required if existing Workspace BAA is in place. |
| Microsoft (Copilot for M365) | Covered under existing Microsoft 365 healthcare BAA. | No additional BAA required if existing M365 BAA is in place. |
Implementation note: if the Zero Data Retention (ZDR) option is available and the workflow involves significant PHI, ZDR is the appropriate configuration. ZDR prevents the AI provider from retaining prompt and output data, so a breach of the vendor’s stored data cannot expose prompts or outputs submitted under ZDR.
Time to complete: BAA signature is a form submission on the vendor’s enterprise portal. Typically 1 to 5 business days.
Component 3: De-identification standard for AI inputs
The three-category structure:
Category A: Fully de-identified (no BAA required, lowest risk)
- Aggregate statistics (“35 claims were denied for medical necessity in October, average claim value $1,800”)
- General case descriptions without patient identifiers (“Adult female patient, primary diagnosis depression, treatment plan includes weekly CBT”)
- Template language developed from de-identified case patterns
Category B: Minimum necessary PHI (BAA required, ZDR recommended)
- Specific patient-referenced payer appeal letters
- Authorization requests with clinical necessity documentation
- Care coordination communications with clinical details
Category C: PHI not appropriate for current AI tool use
- Raw EHR data exports
- Unredacted medical records
- Sensitive category PHI (mental health, substance use, HIV status): heightened protection requirements apply
Format: a one-page reference document, reviewed by the compliance officer, accessible to all administrative staff.
Time to complete: 90-minute session with the compliance officer and the billing manager.
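The three-category standard above is a policy document, but the same rules can be enforced mechanically as a pre-submission gate in front of the AI tool. The following is an added example written for this article; it is not code from the article, from Phos AI Labs, or from any AI vendor. It applies the Category A/B/C structure using a small set of HIPAA Safe Harbor identifier patterns that are cheap to detect (SSN, MRN, phone, e-mail, full dates, a "patient <Name>" construction). The regexes, the decision rules, and the sample texts (other than the two Category A examples, which are the article's own) are assumptions for illustration. Names are the weak point of any regex gate, so this is a guardrail layered on top of the staff standard, not a replacement for it.

```python
"""Category A/B/C triage gate for text about to be sent to an external AI tool.

Added example, not code from the original article or from any AI vendor. It
mechanises the article's three-category de-identification standard with a few
HIPAA Safe Harbor identifier patterns that are cheap to detect. The patterns,
the decision rules and the constructed samples are assumptions for illustration;
a real gate would be reviewed by the compliance officer.
"""
import re
from dataclasses import dataclass, field

# Direct-identifier patterns (constructed; deliberately conservative on names,
# which regexes cannot detect reliably and which are the main false-negative risk).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.IGNORECASE),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "full_date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "dob_label": re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE),
    "patient_name": re.compile(r"\bpatient\s+(?:name\s*[:\-]\s*)?[A-Z][a-z]+ [A-Z][a-z]+\b"),
}

# Category C markers. Sensitive-category terms only escalate when identifiers are
# also present: the article's own Category A example mentions a depression
# diagnosis with no identifiers. Raw EHR/interface exports are never appropriate.
SENSITIVE_TERMS = re.compile(r"\b(?:HIV|substance use|SUD|psychotherapy notes?)\b", re.IGNORECASE)
RAW_EXPORT_MARKERS = re.compile(r"\bHL7\b|\bFHIR\b|\bMSH\||\bPID\|", re.IGNORECASE)


@dataclass
class TriageResult:
    category: str                       # "A", "B" or "C" as defined in the standard
    identifiers: list = field(default_factory=list)
    reason: str = ""


def triage(text: str) -> TriageResult:
    """Assign the article's Category A/B/C to a candidate AI input."""
    found = [name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text)]
    if RAW_EXPORT_MARKERS.search(text):
        return TriageResult("C", found, "raw EHR / interface export detected")
    if not found:
        return TriageResult("A", [], "no direct identifiers detected")
    if SENSITIVE_TERMS.search(text):
        return TriageResult("C", found, "identified sensitive-category PHI")
    return TriageResult("B", found, "direct identifiers present; minimum-necessary PHI")


def gate(text: str, tool_has_baa: bool) -> tuple[bool, TriageResult]:
    """Allow Category A on any tool, Category B only on a BAA-covered tool, never Category C."""
    result = triage(text)
    if result.category == "A":
        return True, result
    if result.category == "B":
        return tool_has_baa, result
    return False, result


# Constructed sample inputs. SAMPLE_A1 and SAMPLE_A2 are the article's Category A examples;
# the rest are invented for this example (no real patients).
SAMPLE_A1 = "35 claims were denied for medical necessity in October, average claim value $1,800"
SAMPLE_A2 = "Adult female patient, primary diagnosis depression, treatment plan includes weekly CBT"
SAMPLE_B = "Appeal for patient Jane Doe, DOB 04/12/1981, claim denied on 2026-01-15 for medical necessity."
SAMPLE_C = "Summary for patient John Smith, MRN 4482910, HIV status positive, needs care coordination."
SAMPLE_EXPORT = "PID|1||4482910^^^MRN||SMITH^JOHN||19810412|M"

if __name__ == "__main__":
    for label, text in [("A1", SAMPLE_A1), ("A2", SAMPLE_A2), ("B", SAMPLE_B),
                        ("C", SAMPLE_C), ("EXPORT", SAMPLE_EXPORT)]:
        allowed, r = gate(text, tool_has_baa=False)
        print(f"{label}: category {r.category}, allowed on non-BAA tool={allowed}, {r.reason}")
```

The gate returns the category and the matched identifier classes rather than silently blocking, so the refusal can be logged against the work product review notation in Component 4 and so staff learn which element of the text moved it out of Category A.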
Component 4: Work product review and documentation requirement
The documentation approach:
For billing and payer communications: a notation in the billing system noting AI assistance used, reviewer name, date.
For administrative correspondence: a notation in the document history noting AI assistance used, reviewer name, date.
For compliance documentation: a notation in the compliance calendar or document register.
The staff accountability: the reviewing staff member is accountable for the accuracy and appropriateness of the AI-assisted document. This review requirement is the human oversight standard that makes AI use appropriate under professional and regulatory standards.
Time to complete: 30 to 45 minutes to document the notation convention.
Component 5: Staff training on the AI use policy
A 30-minute training session for all administrative staff covering:
- Approved AI tools (names and tiers): 5 minutes
- Approved workflow types and the de-identification standard for each: 10 minutes
- What not to enter into AI tools (Category C PHI): 5 minutes
- The review and documentation requirement: 5 minutes
- Where to ask questions about AI tool use: 5 minutes
Training record: a sign-off sheet or LMS completion record showing each staff member’s training completion date.
This record is the documentation that protects the organisation in an audit or enforcement action. It demonstrates that staff were operating within a documented policy.
Time to complete: 30 minutes per training group. For a 30-person administrative team: two sessions.
The implementation sequence — compliance first, then workflows
Week 1: Compliance framework
| Day | Activity |
|---|---|
| 1 to 2 | Update the HIPAA Risk Assessment to include AI tool use |
| 2 to 3 | Sign the BAA with the chosen AI tool provider |
| 3 to 4 | Draft and review the de-identification standard with compliance officer and billing manager |
| 4 to 5 | Document the work product review notation convention |
By end of week one: the compliance framework is in place. AI use can begin under the documented governance structure.
Week 2: Foundation build
Three sessions of 90 minutes each:
- Session 1 (billing manager): payer communication vocabulary guide
- Session 2 (practice administrator): referral source communication standards, staff communication standards
- Session 3 (compliance officer + operations manager): compliance documentation vocabulary, operations reporting format
By end of week two: the healthcare-specific Foundation elements are built and loaded into the shared workspace.
Weeks 3 and 4: First workflow deployment and training
Week 3: payer appeal workflow deployed and tested against five historical denials. Billing team trained on the workflow using real current claims.
Week 4: referral source communication workflow and operations briefing workflow deployed. Practice administrator and operations manager trained.
By end of week four: three workflows running, all trained staff using them, adoption tracking log in place.
Weeks 5 and 6: Staff training and adoption monitoring
Staff AI use policy training for all administrative staff. Adoption tracking log reviewed at end of week five. Adjustments made to any below-threshold workflows. First operations briefing produced and delivered to management team using the new workflow.
By end of week six: full administrative team trained, six-week compliance and adoption documentation package complete and filed.
The governance documentation package at week six
By the end of the six-week implementation, the organisation has:
- Updated HIPAA Risk Assessment with AI tool use documented
- Signed BAA with the AI tool provider
- De-identification standard (one page, compliance officer-reviewed)
- Work product review notation convention (documented in billing and administrative systems)
- Staff training records for all administrative staff
- Adoption tracking log showing workflow usage and review compliance
This package constitutes the governance documentation that would satisfy an OIG audit, a CMS compliance review, or an accreditation audit on AI governance.
Common compliance questions — answered specifically
“What if we already have staff using AI without these controls?”
Address it directly:
“We are formalising AI governance. As of [date], all AI tool use on patient-adjacent work must follow the documented policy. This includes tools you are currently using. Please review the de-identification standard and the approved tool list.”
The staff member who was using an unapproved tool without a BAA has created an exposure. The formal policy, applied prospectively, does not retroactively create a violation but does document the governance structure going forward.
Consult legal counsel if there is any specific incident that may have involved a HIPAA breach.
“Does our EHR vendor’s BAA cover AI tool use?”
No. The EHR vendor’s BAA covers that vendor’s handling of your data in their system. A separate BAA with your AI tool provider (Anthropic, OpenAI, Google, Microsoft) is required for those tools.
“What if our malpractice carrier asks about AI use?”
Several professional liability carriers have begun asking about AI governance as part of renewal conversations in 2026. The documentation package produced by this implementation directly addresses the governance questions carriers are asking.
A practice with documented AI governance is in a better position than one with undocumented ad hoc AI use.
“What about state-specific requirements in California or New York?”
The compliance framework in this article establishes the federal HIPAA baseline. Organisations in California (CMIA, CPRA) or New York (SHIELD Act, Health Data Privacy Act) should have the de-identification standard reviewed by healthcare legal counsel for state-specific requirements.
For most operational AI workflows (administrative correspondence, management reporting), the federal framework is sufficient.
“Do we need to disclose AI use to patients?”
There is no current federal HIPAA requirement for patient disclosure of AI use in administrative operations. Several state laws are developing disclosure requirements for AI use in clinical contexts.
For operational AI, patient disclosure is not currently required under applicable federal or most state law. Include a brief AI governance notice in the organisation’s privacy notice as a best practice.
Want the HIPAA compliance framework built alongside the AI Foundation, so the governance documentation is complete before the first payer appeal letter is drafted?
The healthcare operator who implements AI without a compliance framework creates exposure. The one who avoids AI because of HIPAA concerns misses the operational returns while the compliance risk from undocumented ad hoc AI use accumulates.
The five-component governance framework takes one week to build, produces documentation that satisfies an audit or enforcement review, and enables the operational AI workflows that recover 30 or more hours per week of administrative staff time.
Path one: start the risk assessment update today. Open your existing HIPAA Risk Assessment. Add a section for AI tool use: the tools being considered, the PHI types that might be processed, and the planned safeguards. This one addition is the first step in the governance documentation package.
Path two: bring in a partner. Phos AI Labs builds the compliance-first implementation sequence where the governance framework is established in week one before any AI workflows are deployed. The documentation package is complete by week six. We have run 400+ AI engagements. Clients include Zapier, Coca-Cola, Medtronic, Dataiku, and American Express. Thirty minutes, no deck. Start here.